The Security Tutorials Forum Original tutorials written about a variety of security-related subjects.
Old December 13th, 2003, 10:28 PM   #1
ali1
Banned
 
Join Date: Dec 2003
Posts: 138
2 days to learning all about NTFS ADS viruses.

Hi everyone. Well, I've created much fuss in this forum through my last article on viruses that cannot be detected by any AntiVirus software. I didn't know how I could get back the good image I've lost, so I wrote this 2-day report on NTFS ADS viruses. I've researched and researched this topic a lot of times before writing this report. I hope it somehow pays back for my last post. Since this is a 2-day report, I thought I shouldn't post the reports for both of the days here because it wouldn't make sense. Therefore, if you like this report, you can get Day 2 for free from my website via the link given at the end of this article.
I hope it proves useful.


2 days to learning all about NTFS ADS viruses.

Day 1:

What is NTFS ADS?

Well, ADS stands for Alternate Data Streams. It is a feature of the NTFS file system. It allows data to be attached to files, but this data remains completely invisible to some file-reading utilities. This feature can be used by viruses to exploit systems. Wanna see how it works? Then maybe we have to get started with some practical stuff.

Getting started.

What you'll need.....

Well, what we are going to do now isn't going to work unless you have the NTFS file system installed on the drive you'll work on. (I got almost half crazy trying to get it to work on one of my drives that had FAT32 and couldn't realize what was wrong. Then I checked the file system and was like OHH, stupid me! Anyways...) However, if you do not have FAT32 installed on any of your drives and you can't get one that has it installed, then just read the rest of this article... you'll get an idea of what I'm talking about. However, if you do have a drive with NTFS installed, then great! Let's do it!

First of all, make a separate folder on the drive that has NTFS installed. Name that folder "test". Now, you must have a little knowledge of how to use MS-DOS. If not, then visit this page. Learn MS-DOS through the free tutorials provided and then return here.

If you already have a little know-how of MS-DOS, then we can get started right away.

Learning how to create ADSs.

An ADS is really simple to create if you have a little knowledge of MS-DOS. Just launch MS-DOS and point to the folder "test" on whatever drive you have the folder on. Let's say you have test on drive C:\, so you'll have to point to the folder C:\Test.
Now, type the following line:

echo "this text is visible">1.txt

What's happening here is that the echo command is creating the file "1.txt" and putting the words "this text is visible" into that file.

Now, when you open the folder C:\Test through Windows Explorer you should see the file 1.txt, and when you double-click that file, you should be able to read the words "this text is visible" in that file. Now, let's move on to creating our first ADS in that file.

At the command prompt, type the following line:
echo "and this text is invisible">1.txt:ads1.txt

This command creates an ADS, or a data stream, in the file 1.txt. This data stream cannot be viewed by Windows Explorer or MS-DOS. If you open the folder C:\test through Windows Explorer then you will see only one file, named 1.txt. You wouldn't see any other file. And, even if you try the DIR command through MS-DOS, you will still see only one file named 1.txt in that folder. Also, by creating 1.txt and adding an ADS to it, we have used some 54 bytes of memory. However, we see that the DIR command shows only 24 bytes occupied by the folder. You may even check the size of the folder through Windows Explorer (you can do so by opening drive C, right-clicking on the folder Test and choosing Properties). Still you would see only 24 bytes occupied by the folder. The only way you can view the ADS you just added to the file is by typing the following command at the command prompt:

notepad 1.txt:ads1.txt

This will open up a Notepad window and will show the file we just created. This is the only way you can read the ADSs attached to a file. However, now there is a free tool available which scans the entire drive or a given directory for ADSs. It lists the names and sizes of all alternate data streams it finds. It is called LADS. You can download LADS now from http://www.heysoft.de. If you ever come across a file that you doubt has some ADSs attached to it and you want to read what's in the ADSs, then LADS is the program for you. You can use LADS to find the names of all of the ADSs attached to that file/folder. Then you can use the notepad command to view the contents of the ADSs. This is very useful if you are not sure whether a particular folder or file has ADSs attached to it or not and if you want to view the contents of the ADSs.

Well, that's all for now. Tomorrow I will show you how NTFS ADS can be used to create viruses, and also how you can remove ADSs from a file without losing the original data it contains. As for today, you may want to practice creating ADSs and experiment with them.


Get the rest of this report from:
http://www.virustimes.cjb.net/2days/membersonly.html
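The post shows the detection gap from the defender's side: DIR and Explorer count only the default stream, so 54 bytes written to 1.txt show up as 24. The following script is an added example (not code from the post or from the LADS tool it mentions) that enumerates every `$DATA` stream of a file the way a LADS-style scanner does, using the Win32 FindFirstStreamW/FindNextStreamW API via ctypes (an assumption: that API exists on Windows Vista and later; Python 3.9+ is assumed). The reporting helpers are pure Python and also run on non-Windows hosts against a constructed sample built from the post's two echo commands.

```python
"""Enumerate NTFS alternate data streams and report what a plain DIR listing hides.

Added example, not code from the original post or from the LADS tool it mentions.
Assumptions: Windows Vista or later (FindFirstStreamW/FindNextStreamW Win32 API),
Python 3.9+. On non-Windows hosts only the pure reporting helpers run.
"""
from __future__ import annotations

import ctypes
import os
import sys
from dataclasses import dataclass

# The unnamed default stream is what DIR and Explorer measure; every other
# ":name:$DATA" stream is an ADS and adds nothing to the visible size.
DEFAULT_STREAM = "::$DATA"


@dataclass
class Stream:
    path: str   # file the stream belongs to
    name: str   # stream name as Windows reports it, e.g. ":ads1.txt:$DATA"
    size: int   # bytes stored in that stream


def list_streams(path: str) -> list[Stream]:
    """Return every $DATA stream of `path` using FindFirstStreamW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [
            ("StreamSize", ctypes.c_longlong),             # LARGE_INTEGER
            ("cStreamName", ctypes.c_wchar * (260 + 36)),  # MAX_PATH + 36
        ]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    ERROR_HANDLE_EOF = 38
    FIND_STREAM_INFO_STANDARD = 0

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append(Stream(path, data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


def hidden_streams(streams: list[Stream]) -> list[Stream]:
    """Streams other than the default one: the ADSs that DIR and Explorer hide."""
    return [s for s in streams if s.name != DEFAULT_STREAM]


def summarize(streams: list[Stream]) -> dict:
    """Compare the size DIR would show with the bytes actually stored on disk."""
    visible = sum(s.size for s in streams if s.name == DEFAULT_STREAM)
    hidden = sum(s.size for s in hidden_streams(streams))
    return {"visible_bytes": visible, "hidden_bytes": hidden,
            "total_bytes": visible + hidden,
            "ads_names": [s.name for s in hidden_streams(streams)]}


def scan_directory(directory: str) -> list[Stream]:
    """Walk a tree and collect every stream of every file (Windows only)."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            try:
                found.extend(list_streams(os.path.join(root, name)))
            except OSError:
                continue  # unreadable entry or non-NTFS volume; skip it
    return found


# Constructed sample reproducing the post: cmd's echo writes the quotes too, so
# 1.txt holds "this text is visible" plus CRLF (24 bytes) and the ADS ads1.txt
# holds "and this text is invisible" plus CRLF (30 bytes): DIR reports 24 of 54.
SAMPLE_STREAMS = [
    Stream(r"C:\Test\1.txt", "::$DATA", 24),
    Stream(r"C:\Test\1.txt", ":ads1.txt:$DATA", 30),
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    streams = scan_directory(target) if target else SAMPLE_STREAMS
    for s in hidden_streams(streams):
        print(f"{s.path}{s.name}  {s.size} bytes")
    print(summarize(streams))
```

Run with a directory argument on an NTFS volume to list every ADS under it; with no argument it reports on the constructed sample. Any entry in `ads_names` is worth a look, since legitimate software rarely stores anything there beyond small metadata streams.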
Old December 14th, 2003, 01:19 AM   #2
TheCreator
Banned
 
Join Date: Dec 2003
Posts: 26

I crashed cmd.exe
I was going to try something. I took a little file I made with C++, called password.exe. So I opened it up in Notepad and copied everything. Then, at the command prompt, I typed echo ", and right there I pasted the contents of the program because I wanted to do this:
echo "program contents" > password.exe:adspassword.exe
but when I pasted it the computer beeped a few times as the text rolled across the screen, and when it finished pasting my command prompt window disappeared, lol. Oh well, maybe I will try a different program later; I think that some of the characters didn't agree with cmd.exe. Cool stuff to fool around with, thanks for enlightening me to this feature of NTFS file systems, ali1.
Old December 14th, 2003, 01:29 AM   #3
Deaflamb
Senior Member
 
Join Date: Sep 2003
Posts: 179
Nice to see a change

Quote:
Originally posted here by ali1
Well, what we are going to do now isn't going to work unless you have the NTFS file system installed on the drive you'll work on. (I got almost half crazy trying to get it to work on one of my drives that had FAT32 and couldn't realize what was wrong. Then I checked the file system and was like OHH, stupid me! Anyways...) However, if you do not have FAT32 installed on any of your drives and you can't get one that has it installed, then just read the rest of this article... you'll get an idea of what I'm talking about. However, if you do have a drive with NTFS installed, then great! Let's do it!

I believe you meant NTFS in the above line. Nice job, much better than your other posts to date. You may want to double-check your typos and such (you have many missed spaces).

Other than that it was informative and well written, and as far as I know the info is accurate. Well done.

DeafLamb

Edit:

It seems that I have recently given ali1 antipoints, trying to balance a thread which I believe was negged unfairly.

http://www.antionline.com/showthread...756#post695756

Could someone please give him some positives for me? I do believe he is attempting to change his ways and I think that deserves credit; many would just leave after taking the abuse he has.

DeafLamb
__________________
Happy Trails and Blue Skies
http://www.AntiOnline.com/sig.php?imageid=586
Old December 14th, 2003, 02:01 AM   #4
TheCreator
Banned
 
Join Date: Dec 2003
Posts: 26
Quote:
Could someone please give him some positives for me
I would, but I don't have any. I will give him greys though.
Old December 14th, 2003, 03:31 AM   #5
cgkanchi
Antionline Herpetologist
 
Join Date: Aug 2001
Posts: 1,165
Nice post. It covered something that was totally unknown to me. It would be nice to have something on how ADS works though. Otherwise, both parts of the post are quite nice.
Cheers,
cgkanchi
__________________
Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
My blog: http://biology000.blogspot.com
Old December 14th, 2003, 03:55 AM   #6
Deaflamb
Senior Member
 
Join Date: Sep 2003
Posts: 179
Well, good to see things are going better for ali1. I leave for dinner and when I return he's gone from two reds to a nice pretty gray. It seems that some also thought that he was being punished too harshly for his eagerness to please.

Borrowing from cgkanchi's signature "never meddle in the affairs of AOers for they are subtle and quick to neg"

DeafLamb
__________________
Happy Trails and Blue Skies
http://www.AntiOnline.com/sig.php?imageid=586
Old December 14th, 2003, 05:08 AM   #7
ammo
Senior Member
 
Join Date: Sep 2001
Posts: 1,027
It just occurred to me that ADS could probably be used to hide stuff from disk quotas too... Has anyone tried it or know if it does work?

Edit: Yup, just tested it: works...

Ammo
__________________
Credit travels up, blame travels down -- The Boss
Old December 14th, 2003, 05:14 AM   #8
sysmin770
Senior Member
 
Join Date: Jun 2003
Posts: 134
I don't know if you saw my previous post but I covered ADS in it.

http://www.antionline.com/showthread...hreadid=251463
__________________
Sysmin Sys73m47ic
-The Hacker Pimps
-Development Team {FuxorWRT}
http://www.AntiOnline.com/sig.php?imageid=563
Old December 14th, 2003, 05:22 AM   #9
ammo
Senior Member
 
Join Date: Sep 2001
Posts: 1,027
Oops, sorry, no I hadn't read it...

Ammo
__________________
Credit travels up, blame travels down -- The Boss
Old December 14th, 2003, 08:28 AM   #10
Turmoil
Member
 
Join Date: Feb 2003
Posts: 95
Wow! That was very informative! A great post in my opinion. But this does raise the question of "why?" in my mind.... Why would Microsoft put that feature into their file system?? <Conspiracy Theory> Correct me if I'm wrong, but NTFS was used in all Microsoft OSes after Windows 2000... And DCOM was also included in all versions of Windows after 2000, right? Hmm, I wonder why they would make a feature that hides files on people's systems and then put in another feature that allows them to get into any system they want??? It's far-fetched, but anyone in the know at Microsoft could have exploited millions of computers (about 90% in the world). </Conspiracy Theory> Lol! Anyways... Great post!